When AI can "steal" faces, how safe is eKYC?


(Dan Tri) - Once a "shield" against financial fraud, eKYC now faces a major challenge as AI and deepfakes impersonate faces with increasing sophistication.
When Vietnamese banks simultaneously deployed biometric authentication for large-value transactions from mid-2024, many people believed that this was an important step to prevent online fraud, rented accounts and property appropriation.

However, a report recently published by MIT Technology Review shows that worrying developments are occurring on the cybersecurity front.
According to the report, many specialized toolkits for bypassing the eKYC systems of banks, financial institutions and fintech platforms have appeared on Telegram channels.
eKYC (Electronic Know Your Customer) is an online electronic customer identification and authentication technology. Instead of having to go directly to the transaction point, users can verify their identity 100% online anytime, anywhere via smartphone thanks to the support of Artificial Intelligence (AI) and biometric data.
However, some tools are now being promoted as capable of fooling the "liveness" check (the check that a real person is present), which is considered the most important defense layer in today's face authentication process.

Unlike traditional fraud methods that only use still images or video playback, new tools leverage AI, deepfake and image processing technology to create moving faces with expressions, gestures and reactions that closely resemble real people.
Recently, the Department of Cyber Security and High-Tech Crime Prevention and Control, in coordination with the Criminal Police Department and Hanoi City Police, dismantled a network producing and trading malware capable of bypassing the biometric authentication system of some credit institutions.
According to the investigating agency, this group researched, developed and sold software to support bypassing biometric authentication steps in banking transactions.

What is remarkable is not only the technological capabilities of the software but also the fact that this tool has been commercialized and has a real trading market. That shows that biometrics are gradually becoming a new target for cybercriminals.
Previously, attacks mainly focused on stealing passwords, OTP codes or tricking users into providing account information. Now, faces, voices and biometric identifiers are becoming "digital assets" as valuable as banking data.

eKYC is no longer an "absolute shield"

Speaking to a Dan Tri reporter, Mr. Ngo Minh Hieu (Hieu PC), a cybersecurity expert, assessed this as a very serious incident.

According to Mr. Hieu, many people have the incorrect notion that just using your face is enough to ensure safety.
In fact, eKYC is a process that includes many different layers of checking, from ID verification, facial recognition, liveness video authentication to device checking and data comparison with trusted information sources.
Weaknesses can appear at any stage in this chain.
"The weakness often lies in checking documents, portrait photos, liveness videos, terminal devices and data control processes. If the system only relies on facial photos or simple videos, and does not check well for signs of tampering, tampered devices, virtual cameras or data injected into the application, criminals can find ways to overcome it," Mr. Hieu analyzed.

In other words, biometrics is not a "master key". The safety level of eKYC depends greatly on the quality of the anti-counterfeit algorithm, the ability to detect deepfake as well as the accompanying protection layers.
One of the reasons why experts are increasingly cautious about eKYC is the rapid development of generative AI.
A few years ago, creating a fake face video required high technology, expensive equipment and good quality input data; now everything has become much simpler.

With just a few images publicly posted on social networks, modern AI tools can recreate a person's face, expressions, lip movements and even voice.
"AI and deepfake make faking faces, voices, expressions and videos easier, cheaper and more real. Previously, crooks needed high-quality photos or videos; now they only need data leaked on social networks to create fake content to try to bypass the eKYC system or trick employees, relatives, and customers," experts warn.
This trend is completely changing the game in the field of digital identity authentication. If criminals previously needed to steal passwords, they can now try to steal victims' faces. And unlike passwords, faces are something people cannot change if exposed.
According to Mr. Ngo Minh Hieu, although AI and deepfake are dangerous tools, the root of many incidents still comes from users revealing personal data.
"Both technology being bypassed and users revealing data are dangerous. However, the risk often starts from users revealing their CCCD, portrait photo, facial video, phone number or bank account. When enough of this data is collected, criminals can combine it with AI, deepfake, SIM hijacking or malware to bypass many layers of security," experts said.

This is also why scams asking people to update biometrics, verify accounts or supplement banking information have appeared continuously of late.
In many cases, the crooks' real goal is not to take the money in the account immediately, but to collect data for future attacks.
Experts recommend that people be especially wary when someone asks them to provide ID cards or facial photos, record verification videos, install unfamiliar applications or open links of unknown origin.

"The bank does not require customers to provide OTP, password or biometric authentication through strange links," he emphasized.
Despite facing many new challenges, experts believe that eKYC is still a necessary technology and there is no solution capable of completely replacing it in the near future. However, the authentication method will have to change.
According to Mr. Ngo Minh Hieu, in the next 3-5 years, Vietnam needs to switch from a single-layer authentication model to multi-layer authentication based on risk assessment.
Instead of just checking the face, the system needs to simultaneously evaluate the login device, user behavior, access location, data source, camera authenticity as well as signs of deepfake or tampered data.

"In addition to the face, the system needs to check the device, user behavior, login location, real camera, signs of deepfake, data injected into the application and check with a trusted data source. Biometrics are still necessary, but must be accompanied by anti-spoofing, anti-deepfake technology and real-time monitoring of unusual transactions," Mr. Hieu commented.
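
The multi-layer, risk-based model described above can be sketched as follows. This is an added example, not code from the article or from any bank; the field names, thresholds and weights are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Session:
    face_match: float      # 0..1 similarity to the enrolled face
    liveness: float        # 0..1 liveness-check confidence
    deepfake_score: float  # 0..1, higher = more likely synthetic video
    virtual_camera: bool = False   # video source is not a physical camera
    device_tampered: bool = False  # tampered terminal device
    data_injected: bool = False    # data injected into the application
    id_verified: bool = True       # ID data matches a trusted source
    known_device: bool = True
    usual_location: bool = True
    amount: int = 0

# All thresholds and weights below are constructed for illustration.
LARGE_AMOUNT = 10_000_000
INTEGRITY_FLAGS = ("virtual_camera", "device_tampered", "data_injected")

def assess(s: Session):
    """Return (decision, reasons); decision is allow, step_up or deny."""
    # Layer 1: capture-path integrity. A failure here voids the biometric
    # scores, because the video may never have come from a real camera.
    reasons = [f for f in INTEGRITY_FLAGS if getattr(s, f)]
    if not s.id_verified:
        reasons.append("id_not_verified")
    if reasons:
        return "deny", reasons
    # Layer 2: the biometric checks themselves.
    if s.face_match < 0.80 or s.liveness < 0.70:
        return "deny", ["biometric_below_threshold"]
    # Layer 3: contextual risk, accumulated rather than all-or-nothing.
    risk = 0
    for hit, weight, name in (
        (s.deepfake_score >= 0.5, 40, "deepfake_suspected"),
        (not s.known_device, 25, "new_device"),
        (not s.usual_location, 15, "unusual_location"),
        (s.amount >= LARGE_AMOUNT, 20, "large_amount"),
    ):
        if hit:
            risk += weight
            reasons.append(name)
    if risk >= 60:
        return "deny", reasons
    return ("step_up" if risk >= 25 else "allow"), reasons
```

A session with a near-perfect face match is still denied when the video arrives through a virtual camera, which is the point of checking the capture path before trusting the biometric score.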
In the race between security technology and cybercrime, AI is being used on both sides. One side uses AI to create increasingly sophisticated forms of forgery. The other side uses AI to detect unusual behavior and prevent fraud.

That means eKYC will continue to play an important role in the digital economy. However, the days of looking at faces as absolute proof of authenticity may be over.
When AI can create a face that blinks, smiles and speaks, the question is no longer "can biometrics be bypassed or not", but what the system will do to recognize who the real person is.